cleantalk
Vulnerabilities and Security Researches

Splitit, CVE-2025-4105

CVE, Research URL

CVE-2025-4105

Home page URL

Security reports for Splitit

Application

Splitit

Published on
May 21, 2025
Research Description
The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.
Affected versions
Min -, max 4.2.8.
Status
vulnerable
Previous vulnerability researches
Advanced Flamingo (CVE-2023-52226) , Jun 07, 2024
Flamingo , Apr 16, 2025
Flamingo (022a9997dfc335fe7d818f90b085eb691dd3ba3c) , Jun 07, 2024
New vulnerability
Real Time Validation for Gravity Forms (CVE-2025-48330) , Jun 02, 2025
EU/UK VAT Manager for WooCommerce (CVE-2025-47504) , Jun 02, 2025
Tournamatch (CVE-2025-4594) , Jun 02, 2025
WP YouTube Video Optimizer (CVE-2025-4217) , Jun 02, 2025
Relevanssi – A Better Search (CVE-2025-5016) , Jun 02, 2025